Machine Creator: eks & rjesh
Task: To find User.txt and Root.txt
Let’s start with an Nmap scan.
nmap -sV -sC 10.10.10.90
nmap -sU 10.10.10.90
To figure out which version of Windows this is running, we can attempt to access the user directories. As you can see in this example, “C:\Users” does not exist, but “C:\Documents and Settings” does. Having to access this directory by its short name, “/docume~1”, also makes me think this is an XP box. Short names come from older drive formats that limited file names to 8 characters or less.
We can also test whether this is a 64-bit operating system. Using the short names, we can see that “C:\Program Files” is present, but “C:\Program Files (x86)” does not exist, so this has to be a 32-bit machine.
Now we need to start generating our payload. We can exploit WMI using the psexec module in MSF (Metasploit).
First, we need to select the psexec module.
Then we need to drop down into an interactive Ruby shell.
Now we need to generate our MOF file. We will include the nc command along with our local IP and port 1337.
nc.exe is not included in Windows by default, so we need to upload it using TFTP.
First, we should copy nc.exe to our current directory.
Now we can upload nc.exe to the remote server.
nc -lvnp 1337
1337 is our local port to listen on.
Upload the MOF file.
The directory we upload to will automatically execute the file.
put exploit.mof /windows/system32/wbem/mof/exploit.mof
We have another directory on the desktop for flags; let's check that out.
We have another file called “2 for the price of 1!.txt”.
If you look at the text in this file, we have a couple of hints: ADS is in all caps and refers to Alternate Data Streams, and “2 for the price of 1” can mean there are two data streams.
We need to download a program called streams from Sysinternals; it allows us to view alternate data streams.
Now we can view the file using streams. Sysinternals tools always require you to accept the EULA, and we can use a wildcard character for the file name.
streams -accepteula 2*
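As an added example (not part of this writeup), the same check can be done without streams.exe on any host with PowerShell 3.0 or later, using the built-in -Stream parameter; the function name and the flags directory path are my own placeholders.

```powershell
# Added example: enumerate alternate data streams with built-in PowerShell
# cmdlets (Get-Item -Stream / Get-Content -Stream, PowerShell 3.0+) instead
# of Sysinternals streams.exe. Function name is hypothetical.
function Get-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ShowContent
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the primary ':$DATA' stream; anything else is an ADS.
            # A common benign one is 'Zone.Identifier', added to downloaded files.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $entry = [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                    if ($ShowContent) {
                        # Read the hidden stream directly, as "more < file:stream" would
                        $content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                        $entry | Add-Member -NotePropertyName Content -NotePropertyValue $content
                    }
                    $entry
                }
        }
}

# Placeholder path: point this at the flags directory found on the desktop
Get-AlternateStreams -Path 'C:\path\to\flags' -ShowContent | Format-List
```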